[Figure: header layout with fields Code, Identifier, Length]
Configuration

Global Configuration

! Define a RADIUS server
radius-server host 10.0.0.100
radius-server key MyRadiusKey

! Configure 802.1X to authenticate via AAA
aaa new-model
aaa authentication dot1x default group radius

! Enable 802.1X authentication globally
dot1x system-auth-control

Interface Configuration

! Static access mode


switchport mode access 

! Enable 802.1X authentication per port 
dot1x port-control auto

! Configure host mode (single or multi) 
dot1x host-mode single-host 

! Configure maximum authentication attempts 
dot1x max-reauth-req 

! Enable periodic reauthentication 
dot1x reauthentication 

! Configure a guest VLAN
dot1x guest-vlan 123

! Configure a restricted VLAN
dot1x auth-fail vlan 456
dot1x auth-fail max-attempts 3

Terminology


Extensible Authentication Protocol (EAP) 
A flexible authentication framework defined in RFC 3748 


EAP Over LANs (EAPOL) 
EAP encapsulated by 802.1X for transport across LANs 


Supplicant 
The device (client) attached to an access link that requests 
authentication by the authenticator 


Authenticator 
The device that controls the status of a link; typically a 
wired switch or wireless access point 


Authentication Server 
A backend server which authenticates the credentials 
provided by supplicants (for example, a RADIUS server) 


Guest VLAN 
Fallback VLAN for clients not 802.1X-capable 


Restricted VLAN 
Fallback VLAN for clients which fail authentication 


802.1X Packet Types
0 EAP Packet
1 EAPOL-Start
2 EAPOL-Logoff
3 EAPOL-Key
4 EAPOL-Encap-ASF-Alert

EAP Codes
1 Request
2 Response
3 Success
4 Failure

EAP Req/Resp Types
1 Identity
2 Notification
3 Nak
4 MD5 Challenge
5 One Time Password
6 Generic Token Card
254 Expanded Types
255 Experimental

Interface Defaults
Max Auth Requests 2
Reauthentication Off
Quiet Period 60s
Reauth Period 1hr
Server Timeout 30s
Supplicant Timeout 30s
Tx Period 30s


Port-Control Options 


force-authorized 
Port will always remain in authorized state (default) 


force-unauthorized 
Always unauthorized; authentication attempts are ignored 


auto 
Supplicants must authenticate to gain access 


Troubleshooting 
show dot1x [statistics] [interface <interface>]
dot1x test eapol-capable [interface <interface>]
dot1x re-authenticate interface <interface>


